Arranging data ciphering in a wireless telecommunication system

BACKGROUND OF THE INVENTION 

The invention relates to arranging data ciphering in wireless telecommunication systems and particularly in Wireless Local Area Networks WLAN.

Recently various wireless local area networks have become common in addition to Public Land Mobile Networks PLMN. Such wireless local area networks include for example networks based on the IEEE802.11 standard.

Particular attention has been paid to the safety of IEEE802.11 networks by producing a Wired Equivalent Privacy WEP function. The WEP describes traffic ciphering on layer 2 (MAC) between a terminal and an access point supporting the IEEE802.11 standard. The WEP is a symmetrical algorithm, in which the same ciphering key is used for enciphering and deciphering data.

However, a problem in some wireless telecommunication networks, such as IEEE802.11 WLAN networks, is that the ciphering keys used for ciphering traffic must be stored in advance in the terminal and access point. If the access point does not have the same key as the terminal, then the data between the network and the terminal cannot be ciphered. To add different ciphering keys is difficult, and a safe data transmission cannot always be offered for terminals moving in different networks.

BRIEF DESCRIPTION OF THE INVENTION 

It is an object of the invention to provide a new method for creating the keys to be used in ciphering for a wireless local area network and for employing them so as to avoid the above problems. The objects of the invention are achieved with a method, a system, a terminal and an access point, characterized in what is disclosed in the independent claims. The preferred embodiments of the invention are disclosed in the dependent claims.

The invention is based on the idea that a so-called second ciphering key is calculated in the terminal and in the public land mobile network on the basis of at least one so-called first ciphering key according to the public land mobile network. The second ciphering key is sent from the mobile network to the wireless local area network. The data between the terminal and the network is enciphered and deciphered in the terminal and in the wireless local area network using the second ciphering key.
This provides the advantage that in the wireless local area network the mobile network and the identity module offered thereby can be utilized for calculating the ciphering key to be used. The wireless local area network can dynamically be offered a ciphering key for mobile terminals when the terminal is establishing a connection. In such a case the ciphering key need not be stored in the wireless local area network in advance.

According to a preferred embodiment of the invention at least one authentication response according to the mobile network is calculated in the terminal and in the mobile network on the basis of at least one challenge code and a ciphering key. A check response is calculated in the terminal on the basis of at least one authentication response and the first ciphering key. The check response is sent to the mobile network. The check response is calculated in the mobile network on the basis of at least one authentication response and at least one first ciphering key. The check response sent by the terminal is compared with the check response calculated by the mobile network. The second ciphering key is sent from the mobile network to the wireless local area network if the check response sent by the terminal and the one calculated by the mobile network correspond with one another. This embodiment provides the advantage that a subscriber (identity module) can be reliably authenticated in the mobile network. Consequently a data transmission connection and data ciphering can be allowed only for the authenticated terminals in the wireless local area networks.

In accordance with another preferred embodiment of the invention a protection code is sent from the terminal to the mobile network. The mobile network calculates a check sum using the protection code and at least one first ciphering key. The check sum is sent to the terminal to be checked. The second ciphering key is calculated in the terminal if the received check sum is correct. This has the advantage that the reliability of the mobile network is ensured in the terminal, meaning that the terminal knows whether the mobile network possesses the secret key associated with the identity module.

BRIEF DESCRIPTION OF THE DRAWINGS 

In the following the invention will be described in greater detail in connection with the preferred embodiments with reference to the accompanying drawings, in which
Figure 1 is a block diagram showing a wireless telecommunication system according to a preferred embodiment,

Figure 2 is a signalling diagram showing the authentication and the calculation of a ciphering key according to a preferred embodiment,

Figure 3 illustrates the arrangement of ciphering between a terminal and an access point according to a preferred embodiment,

Figure 4 illustrates ciphering means for enciphering data, and

Figure 5 illustrates ciphering means for deciphering data.

DETAILED DESCRIPTION OF THE INVENTION 

The invention can be applied in any wireless telecommunication system comprising a wireless local area network and a public land mobile network. Figure 1 shows a telecommunication system according to a preferred embodiment of the invention. The system comprises a mobile terminal MT, a WLAN network according to the IEEE802.11 standard and a public land mobile network, in this embodiment a GSM network GSMNW. The invention can, however, also be applied in other networks: the wireless local area network may, for example, be a network according to BRAN standards (Broadband Radio Access Networks). BRAN standards comprise HIPERLAN standards (High Performance Radio Local Area Network) of type 1 and 2, HIPERACCESS and HIPERLINK standards. The mobile network is not limited to the GSM network either, but the invention can also be applied for instance in a UMTS network (Universal Mobile Telecommunications System).

A WLAN network operator, WISP (Wireless Internet Service Provider), offers wireless IP-based services in accordance with a preferred embodiment so that the terminals MT are able to move in different, typically highly loaded hot spots, such as hotels, airports etc. The WLAN network WLAN comprises WLAN access points AP offering a wireless connection for several terminals MT. The IEEE802.11 standard determines the physical layer and MAC layer protocols for data transmission over the radio interface. Infrared or two spread spectrum techniques (Direct Sequence Spread Spectrum DSSS, Frequency Hopping Spread Spectrum FHSS) can be used in data transmission. Both spread spectrum techniques employ e.g. 2.4 gigahertz frequency bands. In accordance with the IEEE802.11 standard a so-called CSMA/CA technique (Carrier Sense Multiple Access with Collision Avoidance) is used on the MAC layer.
A Subscriber Identity Module SIM, which is specific for the GSM network, is connected to the terminal equipment TE of the terminal MT, meaning that the terminal MT comprises both the TE and the SIM. Different identity modules are used depending on the mobile network; the UMTS network, for example, employs an identity module USIM (UMTS Subscriber Identity Module). The SIM is typically stored on an IC card (Integrated Circuit) which can be changed from one equipment TE to another. The SIM is provided by the mobile network GSMNW operator, and data concerning the SIM is stored in the mobile network GSMNW. The SIM comprises an International Mobile Subscriber Identity IMSI which represents the subscriber in the network, thus operating as an identifier of the terminal MT. The terminal equipment TE of the terminal MT may also include a specific International Mobile Equipment Identity IMEI, which is not really relevant for the invention. The SIM also comprises a secret key Ki, an algorithm A8 for forming a ciphering key Kc and an algorithm A3 for forming an authentication response SRES (Signed Response).

The terminal MT comprises control means CM for controlling the operation of the MT and the communication between the MT and the wireless local area network WLAN by utilizing the memory M. The control means CM calculate, among other things, the second ciphering key in the MT as will be described below. By means of card reading means (not shown) included in the MT the CM may utilize the subscriber identity module SIM and the data therein. The MT also comprises a transceiver TxRx for communicating with at least the access point AP of the network WLAN. The MT may be, for example, a portable computer with a WLAN adapter card comprising an IC card, a smart card or the like. The terminal MT may also comprise a GSM mobile station part for communicating with the GSM network.

Terminals MT may form what is known as an ad hoc network simply by establishing a connection with another mobile terminal. What are known as infrastructure networks are formed by establishing connections between the access points AP and the terminals MT. The access points AP offer network connections to the terminals MT, thus forming a so-called Extended Service Set ESS. The access points AP control at least the allocation of transmission times, data reception, buffering and the transmission between the terminal MT and the sub-networks. A logical WLAN network WLAN may, in turn, comprise one or more sub-networks.
The WLAN network WLAN may also offer a connection through a gateway to other networks, such as the Internet. The connection to other networks can be arranged from the network WLAN through a Public Access Controller PAC. The PAC is an entity of the network WLAN that controls the access to the Internet services, for example. In accordance with a preferred embodiment it allocates an IP address to the terminal MT and allows a connection to be established to the Internet only if the terminal MT can be authenticated. Typically the WLAN network WLAN also comprises other servers, such as a Dynamic Host Configuration Protocol DHCP server which allocates IP addresses in the network WLAN.

The mobile network GSMNW comprises one or more Mobile Switching Centers MSC/VLR typically comprising a Visitor Location Register VLR and/or GPRS operating nodes SGSN (Serving General Packet Radio Service Support Nodes). The mobile network GSMNW also comprises a GSM/GPRS Authentication and Billing Gateway GAGW, which is connected to the Internet. The GAGW is an entity in the mobile network GSMNW offering authentication services of mobile subscribers to the WLAN networks WLAN and preferably also collects billing information. Hence, the subscriber data and the authentication services of the mobile network GSMNW can be utilized for serving the terminals MT comprising the identity module SIM in the WLAN network WLAN. The terminal MT user does not need to have a pre-agreed agreement with the operator of the WLAN network WLAN. A visiting terminal MT may use the identity module SIM and the mobile network GSMNW for implementing authentication and billing when visiting the network WLAN. In such a case the wireless connection offered by the network WLAN can be billed through the GAGW of the mobile network GSMNW. The WLAN operator may later compensate the mobile operator for the use of the network.

As is known from the GSM system, the home network of the subscriber with the identity module SIM comprises subscriber data which is stored in the GSM Home Location Register HLR. The entity PAC in the WLAN network WLAN sends authentication and billing data to the gateway GAGW. The GAGW may use known GSM signalling for requesting authentication data for the identity module SIM, and perform the authentication and the calculation of the ciphering key as will be described below. If the SIM can be authenticated, the PAC may offer a connection to the Internet or to other parts of the network WLAN. The PAC may also use other methods than the SIM-based authentication for identifying the terminal MT, such as password identification.

The PAC may transmit user data between the Internet and the terminal MT. The interfaces between the terminal MT and the controller PAC and between the PAC and the GAGW are IP-based in accordance with a preferred embodiment of the invention. It should be noted that also other techniques than the IP can be used. In contrast to Figure 1, the Internet is not necessarily needed between the PAC and the GAGW, even if the IP protocol is used. From now on it is assumed that the IP is used, in which case the MT, the PAC and the GAGW are identified using the IP addresses thereof. The interface between the gateway GAGW and the mobile network GSMNW depends on the implementation; for example, when the mobile network is a UMTS network, said interface may be different in comparison with the GSM network. The gateway GAGW hides the infrastructure of the mobile network GSMNW from the PAC. Therefore, the interface between the PAC and the GAGW remains the same irrespective of the mobile network GSMNW.

Figure 2 shows the essential functions according to a preferred embodiment of the invention for authenticating the terminal MT and for calculating a ciphering key. The terminal MT is offered an identifier IMSI and a secret key Ki by the subscriber identity application SIM included therein. The authentication process of the terminal MT is typically triggered when the MT starts setting up a connection 201 (Connection setup) with the WLAN network WLAN. Then the MT is provided with an IP address through a DHCP server (Dynamic Host Configuration Protocol). Before the terminal MT is allowed to establish a connection with other networks than the network WLAN, the authentication must be performed in an acceptable manner.

The MT requests 202 (IMSI request) the identity module SIM for the IMSI identifier and the SIM returns 203 the IMSI identifier. The MT sends 204 the authentication starting request (MT_PAC_AUTHSTART_REQ) which preferably comprises a Network Access Identifier NAI. The NAI comprises the IMSI identifier obtained from the identity module SIM. The NAI may be presented, for example, in the form 12345@GSM.org, where 12345 is the IMSI identifier and GSM.org is the domain name of the mobile network which has conveyed the identity module SIM. The request 204 is preferably sent in ciphered form to the PAC using the Diffie-Hellman algorithm, for example. The MT preferably also sends a specific protection code MT_RAND in the request 204, said code typically being a challenge code. Using the protection code MT_RAND the MT may later be ensured that the party conveying the GSM triplets actually has access to the secret key Ki, which is to be maintained in the GSM home network of the subscriber. However, the use of the protection code is not obligatory.

The PAC deciphers the request 204 if needed and sends 205 the GAGW a request (PAC_GAGW_AUTHSTART_REQ) based on the domain part of the network identifier NAI for authenticating the identity module SIM according to the IMSI identifier. This message comprises the network identifier NAI and the protection code MT_RAND sent by the terminal MT.

The GAGW requests 206 (Send_Parameters) at least one triplet from the mobile network GSMNW. This can be arranged so that the GAGW transmits the request to the nearest mobile services switching center MSC/VLR (or to the operation node SGSN). The MSC/VLR checks the IMSI identifier and sends a request to the home location register HLR of the network possessing the identity module SIM, the HLR typically comprising an Authentication Center AuC (the GSMNW AuC in the Figure). In the first calculation means included in the mobile network GSMNW, i.e. when the GSM network is concerned, the authentication center AuC, one or more GSM triplets (RAND, SRES, Kc) are calculated in a known manner using the secret key Ki according to the IMSI identifier. A GSM triplet comprises a challenge code, i.e. a random number, RAND, an authentication response SRES formed on the basis of the RAND and a secret key Ki using an algorithm A3, and a first ciphering key Kc formed on the basis of the RAND and the secret key Ki using an algorithm A8. The HLR sends the triplet to the MSC/VLR which forwards the triplet to the GAGW 208 (Send_Parameters_Result). The mobile network GSMNW can also send several triplets, whereby the GAGW preferably selects one and stores the other triplets for later use.

The GAGW preferably also calculates 209 (Calculate SIGNrand) a check sum or a message authentication code SIGNrand using the protection code MT_RAND sent by the terminal MT and the Kc. The SIGNrand is a cryptographic check sum which makes it possible to ensure that the data sent actually originates from the entity having a connection with the secret key Ki in the mobile network GSMNW.

The GAGW sends 210 the PAC an acknowledgment message of the authentication request GAGW_PAC_AUTHSTART_RESP comprising one or more challenge codes RAND for the terminal MT and preferably also a check sum SIGNrand. This message may also include data associated with billing. The message can also be ciphered using the protection code MT_RAND. The PAC sends 211 the terminal MT an acknowledgment message of the authentication request PAC_MT_AUTHSTART_RESP comprising at least one challenge code RAND and preferably the check sum SIGNrand.

The terminal MT feeds 212 the challenge code/s RAND into the identity module SIM. The SIM calculates 213 (Calculate Kc(s)) at least one first ciphering key Kc according to the mobile network GSMNW and an authentication response (responses) SRES in a manner that corresponds with the one used in the authentication center AuC and transmits 214 these to the other parts of the terminal MT (preferably to the control means CM carrying out authentication and the calculation of the second ciphering key K). The MT can check 215 (Check SIGNrand) the check sum SIGNrand sent by the PAC on the basis of the data (Kc) obtained from the SIM and the protection code MT_RAND. If the received SIGNrand corresponds with the value obtained on the basis of the Kc values calculated by the identity module SIM, the MT or, to be more precise, the CM calculates 216 (Calculate SIGNsres) the check response SIGNsres to be transmitted to the GAGW. The SIGNsres is preferably a hash function calculated from one or more first ciphering keys Kc and authentication responses SRES enabling the GAGW to authenticate the MT. The MT may also request the user to approve the billing data possibly sent by the

The second calculation means included in the MT, preferably the control means CM, calculate 217 (Calculate K) a second ciphering key K using one or more first ciphering keys Kc according to the mobile network GSMNW calculated by the SIM. The K is calculated in accordance with a preferred embodiment as follows:

K = HMAC(n*Kc, n*RAND | IMSI | MT_RAND), where

HMAC is a mechanism for message authentication using a hash function,
n*Kc is n Kcs,
n*RAND is n RANDs,
IMSI is the subscriber identity from the SIM, and
MT_RAND is the challenge code generated by the MT.

The second ciphering key K calculated in this way is more difficult to determine than the first ciphering key Kc, and the ciphering obtained is stronger than the GSM ciphering. The MT stores the K in the memory M thereof or in the smart card memory for later use. For example, MD5 and SHA-1 algorithms can be used for calculating the K.

The MT sends 218 the PAC an authentication response message (MT_PAC_AUTHANSWER_REQ). The message comprises at least the check response SIGNsres and the protection code MT_RAND of the MT (as preferably do all the messages associated with authentication). The PAC sends 219 the GAGW an authentication response message (PAC_GAGW_AUTHANSWER_REQ) comprising the network identifier NAI and the address information of the PAC in addition to the data in the message (218) sent by the terminal MT. The GAGW checks 220 (Check SIGNsres) the check response SIGNsres sent by the terminal MT. It is also possible that the GAGW generates the check response SIGNsres when calculating (209) the check sum SIGNrand. If the SIGNsres calculated by the GAGW corresponds with the SIGNsres value sent by the terminal MT, the check is successful and the terminal is acceptably authenticated.

If the authentication is acceptable, the calculation means included in the mobile network, or the GAGW, calculate 221 (Calculate K) the second ciphering key K using at least one first ciphering key Kc according to the mobile network GSMNW. The K is calculated in the same way and using the same parameters as the terminal MT uses for carrying out the calculation (217):

K = HMAC(n*Kc, n*RAND | IMSI | MT_RAND).

It is also possible, deviating from Figure 3, that the GAGW calculates and stores in its memory the second ciphering key K when obtaining the triplet from the network GSMNW (208) and sends the K stored in the memory to the WLAN network WLAN if the authentication is acceptable.

The GAGW informs 222 the PAC about the authentication being accepted (GAGW_PAC_AUTHANSWER_RESP_OK). This message comprises at least the second ciphering key K. Information on services that the MT is authorized to use (such as quality of service QoS data) can also be sent in the message 222. The PAC informs 223 the terminal MT about the authentication being accepted (PAC_MT_AUTHANSWER_RESP_OK). Authentication is then performed and both the terminal MT and the PAC comprise a similar second ciphering key K which can be transmitted to the ciphering means performing ciphering for ciphering traffic.

If the authentication is not successful, the messages 222 (and 223) comprise the data on authentication failure and the terminal MT is preferably not offered any services in the network WLAN.
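The Figure 2 exchange carried through in code, as an added example that is not part of the patent text: both parties compute the check sum SIGNrand (209, 215), the check response SIGNsres (216, 220) and the second key K = HMAC(n*Kc, n*RAND | IMSI | MT_RAND) (217, 221), and K is released by the gateway only after the check response matches. Assumptions: the GSM algorithms A3/A8 are operator-specific and are replaced by an HMAC-SHA1 placeholder with the right output sizes; the text describes SIGNrand only as a check sum or MAC over MT_RAND and Kc, and SIGNsres only as a hash over Kc and SRES, so their concrete constructions below (HMAC-SHA1 keyed with the concatenated Kc values) are this example's choice; SHA-1, one of the two hash functions the text names, is used throughout; the class and function names and the sample IMSI and Ki are the example's own.

```python
import hashlib
import hmac
import secrets


def a3_a8(ki: bytes, rand: bytes) -> tuple:
    """Placeholder for the SIM/AuC algorithms A3 (-> SRES) and A8 (-> Kc); the real ones
    are operator-specific. Only the shape matters here: 32-bit SRES, 64-bit Kc from Ki and RAND."""
    digest = hmac.new(ki, rand, hashlib.sha1).digest()
    return digest[:4], digest[4:12]


def sign_rand(kcs: list, mt_rand: bytes) -> bytes:
    """SIGNrand (209): check sum over MT_RAND keyed with the Kc values (construction assumed)."""
    return hmac.new(b"".join(kcs), mt_rand, hashlib.sha1).digest()


def sign_sres(kcs: list, sress: list) -> bytes:
    """SIGNsres (216): hash over the Kc and SRES values (construction assumed)."""
    return hmac.new(b"".join(kcs), b"".join(sress), hashlib.sha1).digest()


def derive_k(kcs: list, rands: list, imsi: bytes, mt_rand: bytes) -> bytes:
    """K = HMAC(n*Kc, n*RAND | IMSI | MT_RAND), as stated in the text, with SHA-1 as the hash."""
    return hmac.new(b"".join(kcs), b"".join(rands) + imsi + mt_rand, hashlib.sha1).digest()


class HomeNetwork:
    """HLR/AuC of the GSM network: holds Ki per IMSI and produces triplets (RAND, SRES, Kc)."""

    def __init__(self, subscribers: dict):
        self.subscribers = subscribers  # IMSI -> Ki (constructed sample data in the caller)

    def triplets(self, imsi: bytes, n: int) -> list:
        ki = self.subscribers[imsi]
        out = []
        for _ in range(n):
            rand = secrets.token_bytes(16)
            sres, kc = a3_a8(ki, rand)
            out.append((rand, sres, kc))
        return out


class Gagw:
    """Gateway: fetches triplets (206/208), sends RANDs + SIGNrand (210),
    checks SIGNsres (220) and only then derives and releases K (221/222)."""

    def __init__(self, home: HomeNetwork, n: int = 2):
        self.home, self.n, self.pending = home, n, {}

    def auth_start(self, imsi: bytes, mt_rand: bytes) -> tuple:
        trips = self.home.triplets(imsi, self.n)
        self.pending[imsi] = (trips, mt_rand)
        kcs = [kc for _, _, kc in trips]
        return [rand for rand, _, _ in trips], sign_rand(kcs, mt_rand)

    def auth_answer(self, imsi: bytes, signsres: bytes):
        trips, mt_rand = self.pending.pop(imsi)
        rands = [rand for rand, _, _ in trips]
        sress = [sres for _, sres, _ in trips]
        kcs = [kc for _, _, kc in trips]
        if not hmac.compare_digest(signsres, sign_sres(kcs, sress)):
            return None  # 222/223 then report failure; no K leaves the mobile network
        return derive_k(kcs, rands, imsi, mt_rand)


class Terminal:
    """MT with its SIM: sends MT_RAND (204), checks SIGNrand (215), answers with SIGNsres (218)."""

    def __init__(self, imsi: bytes, ki: bytes):
        self.imsi, self.ki = imsi, ki
        self.mt_rand = secrets.token_bytes(16)  # protection code: a fresh challenge per run

    def auth_answer(self, rands: list, signrand: bytes) -> tuple:
        results = [a3_a8(self.ki, rand) for rand in rands]  # 212/213: the SIM computes SRES and Kc
        sress = [sres for sres, _ in results]
        kcs = [kc for _, kc in results]
        if not hmac.compare_digest(signrand, sign_rand(kcs, self.mt_rand)):
            return None, None  # 215 failed: the network did not prove it knows Ki
        return sign_sres(kcs, sress), derive_k(kcs, rands, self.imsi, self.mt_rand)


def run_exchange(imsi: bytes, ki_terminal: bytes, ki_network: bytes) -> tuple:
    """Run the Figure 2 exchange end to end; returns (status, K at the MT, K at the GAGW)."""
    gagw = Gagw(HomeNetwork({imsi: ki_network}))
    mt = Terminal(imsi, ki_terminal)
    rands, signrand = gagw.auth_start(imsi, mt.mt_rand)  # 204 .. 211
    signsres, k_mt = mt.auth_answer(rands, signrand)     # 212 .. 217
    if signsres is None:
        return "terminal rejected network", None, None
    k_gagw = gagw.auth_answer(imsi, signsres)            # 218 .. 221
    if k_gagw is None:
        return "network rejected terminal", None, None
    return "ok", k_mt, k_gagw
```

Running `run_exchange(b"12345", ki, ki)` with the same Ki on both sides yields status `ok` and identical 20-byte keys at the terminal and the gateway; giving the network a different Ki makes the terminal reject SIGNrand before it ever sends SIGNsres, which is the property the protection code MT_RAND is there to provide. The comparisons use `hmac.compare_digest` so that a wrong SIGNrand or SIGNsres is rejected in constant time.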

The data transmission between the terminal MT and the access controller PAC may utilize messages based on an IKE (Internet Key Exchange) protocol. Messages based on a RADIUS (Remote Authentication Dial In User Service) protocol can, in turn, be used between the PAC and the GAGW.

Figure 3 illustrates a ciphering arrangement between the terminal MT and the access point AP according to a preferred embodiment of the invention. When the MT finds an accessible access point AP, it preferably sends a request 301 (Open_system_authentication_request) for open system authentication in accordance with the IEEE802.11 standard to the access point AP. In practice the open system authentication does not carry out an actual authentication, whereby any IEEE802.11 standard MT can be authenticated. The MT only informs about its identity in the request 301. The AP sends 302 (Open_system_authentication_result) a response to the MT.

If the AP accepts the MT to its network, the MT requests 303 (Association_request) association to the network WLAN. The AP responds 304 (Association_response) to the request. Association is carried out so that the WLAN network WLAN knows to which AP the data directed to the MT should be sent. The terminal MT must be associated to one access point AP at a time in order to send data through the AP.

After this, authentication and the calculation of the second ciphering key K are preferably carried out as illustrated in Figure 2 using the mobile network GSMNW. In this case the terminal MT calculates 305 (Calculation of K) the second ciphering key K. If the authentication is acceptable, the PAC receives 306 (Reception of K) the second ciphering key K calculated by the GAGW. The PAC sends 307 (Authentication_information) the AP the second ciphering key K and informs about a successful authentication, in which case the AP links the K to the MAC address of the terminal MT. The PAC preferably informs 308 the MT about the successful authentication (PAC_MT_AUTHANSWER_RESP_OK) through the AP utilizing the same message.

WO 02/03730 PCT/FI01/00617

After receiving the second ciphering key K, the AP sends 309 (Put_WEP_on) a request to the MT concerning the use of the WEP algorithm for data ciphering. The MT acknowledges 310 (Put_WEP_on_ack) the request, so that the starting point of data ciphering is correctly timed. After this the second ciphering key K is applied in the MAC layer of the MT, and the MT enciphers the data to be sent and deciphers the received enciphered data 311 (Cipher data with K and WEP) using the K and the WEP algorithm. The AP also starts to use 312 (Cipher data with K and WEP) the K and the WEP algorithm for enciphering data directed to the MT and for deciphering data received from the MT. The AP checks the MAC addresses of the received data against the MAC address of the terminal MT and performs deciphering for data arriving from that MAC address and correspondingly enciphers the MT data directed to that MAC address. In this case, the K is rapidly initiated and data ciphering can be started.

Another alternative way to initiate the second ciphering key K after the message 308 (223) is to utilize other IEEE802.11 protocol messages. The MT may perform deauthentication for the open system authentication (301, 302) instead of the messages 309 and 310. After deauthentication the MT may request a shared key authentication of the IEEE802.11 standard from the access point. Thereafter, the four frame (first, second, third, final) transmission known as such from the IEEE802.11 standard is carried out in order to be able to observe that both parties comprise the same shared key. In such a case the shared key is the second ciphering key K. If the shared key is successfully authenticated, the process proceeds to ciphering 311, 312. The advantage achieved is that it is possible to use the messages of the IEEE802.11 protocol.

If a handover is performed for the terminal to a new access point, the old access point may transmit the second ciphering key K to the new access point. Consequently, data ciphering can be offered also after handover.

Figure 4 illustrates in accordance with a preferred embodiment of the invention enciphering means ECM included in the access point AP and the terminal MT for enciphering data using the second ciphering key K and the WEP algorithm. Both the MT and the AP encipher the frames as shown in Figure 4. The second ciphering key K is concatenated with a 24-bit initialization vector IV so as to form an input 401 for a WEP pseudorandom number generator WPRNG. The WPRNG provides a key sequence 402 which is as long as the number of data octets to be transferred + 4. This is carried out because an integrity check value ICV 404 formed of a plain text 403 in an integrity algorithm IA is also protected. The plain text 403 is combined with the integrity check value ICV 404 and a result 405 (Plain text + ICV) is applied to be combined with the key sequence 402. The key sequence 402 is thereafter combined with the plain text and the ICV 405 using an XOR operation. Enciphered data 406 can then be applied to the radio path for transmission.
The initialization vector IV is also transmitted with the enciphered data 406 in a message to be sent. The value of the IV is preferably changed for each packet to be sent, as this complicates the operation of an eavesdropper. This way of enciphering data extends an MPDU unit (MAC Protocol Data Unit) to be sent by 8 octets: 4 octets for the initialization vector IV and 4 octets for the integrity check value ICV.

Figure 5 shows deciphering means DCM included in the access point AP and the terminal MT for deciphering enciphered data using the second ciphering key K and the WEP algorithm. When the AP or the MT receives an enciphered message MPDU sent over the radio path, the operations described in Figure 4 are carried out in reverse. A combination 504 (K+IV) of an initialization vector IV 502 and a secret key K 503 of the received message MPDU is fed into the WEP pseudorandom number generator WPRNG and a key sequence KS 505 is obtained. An XOR operation is performed for the key sequence KS 505 and the enciphered data 501. An original plain text 506 and an integrity check value ICV 507 are obtained therefrom. An integrity check can be carried out for the plain text 506 using an algorithm IA. An obtained check value ICV 508 can be compared 509 (ICV=ICV?) with the ICV. If they are not identical, then the received MAC protocol unit is erroneous.
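The enciphering of Figure 4 and the deciphering of Figure 5 as an added example, not code from the patent: the block forms the input 401 from the IV and K, draws a key sequence as long as plain text + 4, XORs it with plain text + ICV (405) and prefixes the 4-octet IV field, so the MPDU grows by the 8 octets the text states; on reception it recomputes the ICV and rejects the MPDU when the comparison 509 fails. The page names the components only as WPRNG and IA; IEEE 802.11 WEP uses RC4 as its pseudorandom number generator, seeded with the IV placed before the key, and CRC-32 as the integrity algorithm, and that is what is implemented here. The function names, the key-ID octet layout, the IV counter and the sample key and payload are the example's own.

```python
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """WPRNG: RC4 key scheduling followed by keystream generation (RC4 is the PRNG
    IEEE 802.11 specifies for WEP; the patent text names it only 'WPRNG')."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """Integrity algorithm IA: CRC-32 of the plain text as 4 little-endian octets (WEP's ICV)."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encipher(k: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Figure 4: IV || K seeds the WPRNG (401 -> 402), the key sequence is as long as
    plain text + 4 and is XORed with plain text + ICV (405 -> 406).
    Returns the enciphered MPDU body: 4-octet IV field followed by the enciphered data."""
    if len(iv) != 3:
        raise ValueError("WEP uses a 24-bit initialization vector")
    body = plaintext + icv(plaintext)                 # 403 + 404 -> 405
    key_sequence = rc4_keystream(iv + k, len(body))   # 401 -> 402, len(plaintext) + 4 octets
    iv_field = iv + bytes([(key_id & 0x3) << 6])      # IV plus the key-ID/pad octet (4 octets)
    return iv_field + xor(body, key_sequence)         # IV sent in clear, then 406


def wep_decipher(k: bytes, mpdu: bytes):
    """Figure 5, Figure 4 in reverse: rebuild the key sequence from the received IV and K,
    XOR, split off the ICV (507), recompute it (508) and compare (509); None on mismatch."""
    if len(mpdu) < 8:
        return None                                    # shorter than IV field + ICV: erroneous
    iv, enciphered = mpdu[:3], mpdu[4:]
    body = xor(enciphered, rc4_keystream(iv + k, len(enciphered)))
    plaintext, received_icv = body[:-4], body[-4:]
    if icv(plaintext) != received_icv:
        return None                                    # ICV=ICV? failed: discard the MPDU
    return plaintext


def next_iv(counter: int) -> bytes:
    """A per-packet IV as the text recommends: a 24-bit counter, which wraps after 2**24 frames."""
    return struct.pack("<I", counter & 0xFFFFFF)[:3]


if __name__ == "__main__":
    k = bytes(range(1, 14))                            # constructed 104-bit sample key
    frame = wep_encipher(k, next_iv(1), b"constructed sample payload")
    print(len(frame), wep_decipher(k, frame))
```

Two points worth keeping in mind when reading the figures against this code: the IV is sent in the clear and, being 24 bits wide, a counter-based IV repeats after at most 2^24 frames per key, so "changed for each packet" is only a partial remedy; and CRC-32 is a linear error-detecting code rather than a keyed message authentication code, so the ICV comparison in `wep_decipher` detects transmission errors but is not a cryptographic integrity check.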

The invention can also be applied in a telecommunication system supporting a mobile IP. The telecommunication system supporting the mobile IP comprises mobility agents supporting the IP mobility, i.e. home agents HA and foreign agents FA. The home agents tunnel the packets directed to the terminal to the foreign agent of the network the terminal is visiting and has registered with, and the foreign agent forwards the packets to the terminal.

In accordance with a preferred embodiment the visiting wireless local area network of the terminal MT may employ one or more mobility agents. The MT communicates with the mobility agent, which in turn communicates with the GAGW. The same operations can then be performed as illustrated in Figure 2, except that the PAC is replaced by a mobility agent (HA or FA). Data transmission between the MT and the mobility agent is carried out with a mobile IP message comprising an extension. The MT may request (204) authentication using a registration request message comprising a network identifier NAI. The GAGW can operate as shown in Figure 2. The mobility agent preferably responds to the authentication request by replying (211) with a registration reply comprising the challenge codes (RAND). The terminal MT can in turn send a new registration request message comprising a check response SIGNsres to the mobility agent. Later on the MT can be informed about a successful authentication with a reply message. If the authentication is successful, the calculated second ciphering key K can be implemented in the terminal MT and in the access point AP.

The functionality of the invention described above can be implemented in processors comprised in the terminal MT and the network elements (AP, PAC, GAGW), preferably by software. It is also possible to use hardware solutions, such as ASIC circuits (Application Specific Integrated Circuit) or separate logic.

It is obvious for those skilled in the art that as technology progresses the basic idea of the invention can be implemented in various ways. The invention and its preferred embodiments are therefore not restricted to the examples above but may vary within the scope of the claims.
1. A method for arranging data ciphering in a telecommunication system comprising at least one wireless terminal, a wireless local area network and a public land mobile network, the method comprising the steps of

offering an identifier for the terminal and a specific secret key for the identifier, the secret key also being stored in the mobile network,

sending the terminal identifier from the terminal to the mobile network,

calculating in the mobile network at least one first ciphering key according to the mobile network using the secret key specific for the identifier and a challenge code selected for the first ciphering key,

sending at least one challenge code to the terminal,

calculating in the terminal at least one first ciphering key according to the mobile network using the secret key and at least one challenge code,

characterized by

carrying out data transmission between the mobile network and the terminal through the wireless local area network,

calculating a second ciphering key in the terminal and in the mobile network using said at least one first ciphering key,

sending said second ciphering key from the mobile network to the wireless local area network, and

ciphering the data between the terminal and the network in the terminal and in the wireless local area network using said second ciphering key.
2. A method as claimed in claim 1, characterized by

calculating at least one authentication response according to the mobile network in the terminal and in the mobile network on the basis of at least one challenge code and the secret key,

calculating a check response in the terminal on the basis of at least one authentication response and the first ciphering key,

sending the check response to the mobile network,

calculating the check response in the mobile network on the basis of at least one authentication response and at least one first ciphering key,

comparing the check response sent by the terminal with the check response calculated by the mobile network, and

sending said second ciphering key from the mobile network to the wireless local area network in response to the check response sent by the terminal corresponding with the check response calculated by the mobile network.

3. A method as claimed in claim 1 or 2, characterized by

sending a protection code from the terminal to the mobile network,

calculating a check sum in the mobile network using the protection code and at least one first ciphering key,

sending the check sum to the terminal,

checking the check sum in the terminal, and

calculating said second ciphering key in the terminal in response to the check sum being correct.

4. A method as claimed in any one of the preceding claims, characterized by

sending said second ciphering key to the access point of the wireless local area network, the access point offering a wireless connection for the terminal,

sending a request from the access point to the terminal concerning the use of a WEP algorithm, and

enciphering the data to be sent in the access point and in the terminal, and deciphering the received data, using the WEP algorithm and said second ciphering key.

5. A method as claimed in claim 4, characterized by

feeding said second ciphering key and an initialization vector into a WEP pseudorandom number generator providing a key sequence,

enciphering the data to be sent by performing an XOR operation on the plain text and the key sequence, and

deciphering the received data by performing the XOR operation on the ciphered data and the key sequence.

6. A method as claimed in any one of the preceding claims, characterized in that

the terminal comprises a subscriber identity module SIM of the GSM system,

the wireless local area network supports the IEEE802.11 standard, and

the mobile network supports the GSM standard.
7. A method as claimed in any one of the preceding claims, characterized by

calculating said second ciphering key by performing a hash function over at least a part of the following parameters: at least one first ciphering key (Kc), at least one challenge code (RAND), a subscriber identifier (IMSI) and the protection code (MT_RAND) calculated by the terminal.
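The key derivation of claim 7, the check response and check sum of claims 2 and 3, and the key-sequence XOR of claim 5, carried through on both sides in code. This is an added example and not part of the patent or of any product implementing it: the claims name no hash function, concatenation order, key length or keyed function, so SHA-256, the order Kc | RAND | IMSI | MT_RAND, a 104-bit key and HMAC-SHA-256 are assumptions, and the SIM/AuC outputs (SRES, Kc) are constructed constants. The WEP pseudorandom number generator is RC4 keyed with the initialization vector followed by the key, as in IEEE 802.11 WEP.

```python
import hashlib
import hmac
import os

# Constructed sample values (a real system obtains them from the SIM and the AuC).
IMSI = b"001010123456789"                                   # subscriber identifier
RAND = bytes.fromhex("00112233445566778899aabbccddeeff")    # 128-bit challenge code
SRES = bytes.fromhex("deadbeef")                            # 32-bit authentication response
KC = bytes.fromhex("0123456789abcdef")                      # 64-bit first ciphering key
MT_RAND = bytes.fromhex("fedcba9876543210fedcba9876543210") # terminal's protection code


def derive_second_key(kc: bytes, rand: bytes, imsi: bytes, mt_rand: bytes) -> bytes:
    """Claim 7: K = hash(Kc | RAND | IMSI | MT_RAND). SHA-256 and the 13-byte
    (104-bit WEP) truncation are assumptions, not taken from the patent."""
    return hashlib.sha256(kc + rand + imsi + mt_rand).digest()[:13]


def check_response(sres: bytes, kc: bytes) -> bytes:
    """Claim 2: SIGNsres from the authentication response and Kc (HMAC assumed)."""
    return hmac.new(kc, b"SIGNsres" + sres, hashlib.sha256).digest()


def check_sum(mt_rand: bytes, kc: bytes) -> bytes:
    """Claim 3: the network's check sum over the protection code and Kc (HMAC assumed)."""
    return hmac.new(kc, b"MT_RAND" + mt_rand, hashlib.sha256).digest()


def rc4_keystream(key: bytes, length: int) -> bytes:
    """WEP pseudorandom number generator: RC4 key scheduling, then keystream output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_cipher(k: bytes, iv: bytes, data: bytes) -> bytes:
    """Claim 5: feed K and the IV into the PRNG and XOR the key sequence with the data.
    XOR is its own inverse, so the same call enciphers and deciphers."""
    key_sequence = rc4_keystream(iv + k, len(data))
    return bytes(a ^ b for a, b in zip(data, key_sequence))


def run_exchange(sres_from_terminal: bytes = SRES) -> tuple:
    """Claims 2 and 3 on both sides, then the claim 5 round trip between the
    terminal and the access point. Returns (key_released, round_trip_ok)."""
    # Terminal side: the SIM yields SRES and Kc; the terminal forms SIGNsres.
    sign_sres = check_response(sres_from_terminal, KC)
    # Mobile network side: recompute SIGNsres from the AuC's SRES and compare.
    if not hmac.compare_digest(sign_sres, check_response(SRES, KC)):
        return False, False        # mismatch: no second key is released to the WLAN
    k_network = derive_second_key(KC, RAND, IMSI, MT_RAND)
    chk = check_sum(MT_RAND, KC)
    # Terminal side: verify the check sum before deriving its own copy of K.
    if not hmac.compare_digest(chk, check_sum(MT_RAND, KC)):
        return False, False
    k_terminal = derive_second_key(KC, RAND, IMSI, MT_RAND)
    # WLAN side: the access point holds K received from the network.
    iv = os.urandom(3)             # 24-bit WEP IV, carried in clear with the frame
    frame = b"hello access point"  # constructed plaintext
    ciphertext = wep_cipher(k_terminal, iv, frame)
    recovered = wep_cipher(k_network, iv, ciphertext)
    return True, recovered == frame


if __name__ == "__main__":
    print(run_exchange())                              # (True, True)
    print(run_exchange(sres_from_terminal=b"\0\0\0\0"))  # (False, False)
```

The point of keeping the check response and check sum as keyed functions of Kc is that neither SRES nor Kc itself travels over the WLAN; only values derived from them do, and the second key K is released to the access point only after the network has verified SIGNsres. The 24-bit IV and RC4 keystream are what claim 5 specifies for WEP; the short IV space is the known limitation of that construction.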

8. A telecommunication system comprising at least one wireless terminal, a wireless local area network and a public land mobile network, where

the mobile network comprises first calculation means (AuC) for calculating at least one first ciphering key according to the mobile network using a secret key according to an identifier sent by the terminal and a challenge code selected for the first ciphering key,

the mobile network is arranged to send at least one challenge code to the terminal,

the terminal comprises an identity module (SIM) for calculating at least one first ciphering key according to the mobile network using the secret key stored in the identity module (SIM) and at least one challenge code,

characterized in that

the wireless local area network comprises means (PAC, AP) for carrying out data transmission between the mobile network and the terminal,

the terminal and the mobile network comprise second calculation means (CM, RAGW) for calculating a second ciphering key using said at least one first ciphering key,

the mobile network comprises means (RAGW) for sending said second ciphering key to the wireless local area network, and

the terminal and the wireless local area network comprise ciphering means (ECM, DCM) for enciphering/deciphering the data between the terminal and the wireless local area network using said second ciphering key.

9. A telecommunication system as claimed in claim 8, characterized in that

the identity module (SIM) of the terminal and the first calculation means (AuC) of the mobile network are arranged to calculate at least one authentication response according to the mobile network on the basis of the challenge code and the secret key,

the second calculation means (CM) of the terminal are arranged to calculate a check response on the basis of at least one authentication response and at least one first ciphering key,

the terminal comprises means (CM, TxRx) for sending the check response to the mobile network,

the second calculation means (RAGW) of the mobile network are arranged to calculate the check response on the basis of at least one authentication response and the first ciphering key,

the second calculation means (RAGW) of the mobile network are arranged to compare the check response sent by the terminal with the check response calculated thereby, and

the second calculation means (RAGW) of the mobile network are arranged to send said second ciphering key from the mobile network to the wireless local area network in response to the check response sent by the terminal corresponding with the check response calculated by the mobile network.

10. A telecommunication system as claimed in claim 8 or 9, characterized in that

the wireless local area network and the terminal support the IEEE802.11 standard,

the mobile network supports the GSM standard, and

the ciphering means (ECM, DCM) are arranged to cipher data using
11. A wireless terminal comprising a transceiver (TxRx) for establishing a wireless connection with an access point in a wireless local area network and an identity module (SIM) for calculating at least one first ciphering key according to the mobile network using a secret key stored in the identity module (SIM) and at least one challenge code sent by the mobile network, characterized in that

the terminal comprises second calculation means (CM) for calculating a second ciphering key using said at least one first ciphering key, and

the terminal comprises ciphering means (ECM, DCM) for enciphering/deciphering the data between the terminal and the access point using said second ciphering key.

12. A wireless terminal as claimed in claim 11, characterized in that

the identity module (SIM) of the terminal is arranged to calculate at least one authentication response according to the mobile network on the basis of a challenge code and the secret key,

the second calculation means (CM) of the terminal are arranged to calculate a check response on the basis of at least one authentication response and said at least one first ciphering key, and

the terminal comprises means (CM, TxRx) for sending the check response to the mobile network.

13. A wireless terminal as claimed in claim 11 or 12, characterized in that

the terminal supports the IEEE802.11 standard and the ciphering means (ECM, DCM) are arranged to encipher data using a WEP algorithm.
14. An access point of the wireless local area network comprising ciphering means (ECM, DCM) for enciphering/deciphering data between a terminal and the access point, characterized in that

the ciphering means (ECM, DCM) are arranged to encipher the data to be sent and to decipher the received data using a terminal-specific second ciphering key calculated by a public land mobile network, the second ciphering key being calculated using at least one first ciphering key calculated using a secret key specific for the terminal.

15. An access point as claimed in claim 14, characterized in that

the access point supports the IEEE802.11 standard and the ciphering means (ECM, DCM) are arranged to encipher the data to be sent and to decipher the received data using a WEP algorithm.